We have a few hundred Windows 7 workstations on a LAN. We use AD/GPO management pretty heavily, but there are a lot of periodic and/or manual maintenance tasks we need to do that can't be done via GPO/scheduled task. For example, say I want to execute program X (which runs silently, in the background, and doesn't bother the user) on workstation Y, or say I want to execute task A on a workstation group B either on a schedule or on demand. Kicking the users off of their computers to do this (i.e. using RDP) is a no-no, and doesn't work on groups anyway.

Question:

What's the best way to do this that is robust enough that, after setup, I could give it to beginner support people (read: people who are phobic of the command line, and get confused with GUI interfaces more complicated than Firefox)? I'm a competent programmer, and, if there is a robust set of tools or framework out there for this type of task, I'd consider hacking something together myself if it didn't take too long. If there's some combination of tools or techniques that others use to make remote-workstation-administration doable by beginners, I have yet to find it.

For those who care about the "why": I'm midlevel IT, and was told to implement a remote management solution that allows arbitrary/scheduled remote execution, with confirmation that programs actually ran remotely, and the ability to view what they returned. "Why?" I asked, "Can't I just use PsExec and the task scheduler on a dispatcher machine?" "No," I was told, "'Joe' the second-week tech is going to be in charge of this one, and he needs something simple with a GUI."

What I've tried:

I've played with making a bunch of one-clickable "transfer files to remote computer and run them with PsExec" batch/VB scrips, but those tend to break down and don't easily support running on customizable groups. I've played a little bit with the Windows version of Puppet, but it doesn't support arbitrary-time remote execution (it's ability to group computers into a tree/node structure is really nice though). I've used an older version of Altiris, and, while it does a lot of what I want, it's interface is awful, it's slow, crashes a lot, and is probably too expensive for management. SwiftWater's DMS solution does some of what I want, but it's very underdeveloped, closed-source (not a deal breaker but not ideal), and I get the impression that support and reliability are lacking.

5 Answers
5

WesleyDavid's solution (using PowerShell, presumably in combination with Group Policy/Preferences) is the best solution to fit the problem as described, but that may not be the best solution overall. The questioner should probably consider a dedicated systems management package.

If management wants to prioritize ease-of-use for the tech, then it may make more sense to use Altiris, Microsoft System Center, KACE, etc. to accomplish this goal. They're more likely to give reporting that management will like (X% of workstations had program Y installed) and help the less-skilled techs. Also, while a bespoke collection of scripts will give maximum flexibility, the system management packages can probably get you most of the way to your goal in a fraction of the time. If you should run into some particular issue, there's more likely to be a community of support and consultants that can help you out.

The trade-off, of course, is money. But given that the questioner is mid-level IT, it may be more useful for him to work on other issues with a more direct business need than to work in an area that has is more of a commodity.

My network is smaller than many here, I'm sure: around 120 PCs, 20 servers. I've done scripts and GPOs because I've had to, but we're looking to get one of these up just for the patch management and easier reporting to the powers-that-be.

All the tools you need already exist and are baked into Windows 7. You just need to enable and configure them. I suggest WinRM / Remote PowerShell Commands.

However, this means that your job will be to make a collection of scripts and then perhaps drop a push-button UI on top of them so that techs can easily aim scripts at PCs and then click a button to perform a task. However, based on what you said, that should be within spec.

Microsoft / Windows is deeply committed to PowerShell, and also committed to the remote use of PowerShell to modify and manage multiple PCs. I think you're safe to work a solution out with it and its remote capabilities. PowerShell 3.0 has even more remote capabilities than 2.0.

+1 because this is what I wanted to say in my heart, but it is going to take some work to set up - For instance, automating WinRM configuration and deployment on new builds.
–
Ryan RiesApr 3 '12 at 17:12

@RyanRies Oh yes, it's free as in price, but not free as in time and effort. =) However, it does roxor soxors.
–
WesleyApr 3 '12 at 17:13

2

This is the best solution as described, but the questioner should probably consider a systems management package. If management wants to prioritize ease-of-use for the tech, then it may make more sense to use Altiris, Microsoft System Center, KACE, etc. to accomplish this goal. They're more likely to give reporting that management will like (X% of workstations had program Y installed) and help the less-skilled techs. But that's a cost-benefit issue, not strictly technical.
–
CC.Apr 3 '12 at 17:57

@CC That's actually a good point - put that as an answer and I'll upvote it when I get a new batch of votes in five hours. =)
–
WesleyApr 3 '12 at 18:03

While I don't have any free, open-source solutions for you, agent based solutions like NetIQ AppManager and Microsoft SCCM really excel at this. SCCM can run pretty much anything the remote machine can run, (VBS, Powershell, executables, etc.) AppManager on the other hand is alright, but is limited to running VBS and Basicscript. But it does have very nice scheduling options, and running an ad-hoc job on a remote machine is a drag-n-drop kinda deal.

Btw, I think this question sort of veers too far into the "open for discussion" area that the mods don't really like. shrug